Where Tempest Stores Your Credentials

Where Tempest stores secrets per platform — Keychain (macOS), Credential Manager (Windows), Secret Service (Linux) with in-memory fallback.

When Tempest needs to remember a secret across restarts — your vault unlock key, OAuth tokens, the device push token — it uses the operating system's secure credential store. Each platform has its own; Tempest picks the right one automatically. This page explains exactly what gets stored where and how the fallback behaves on systems without a usable keystore.

(For how vault contents themselves are encrypted before sync, see End-to-End Encryption. This page is about local secret storage.)

What Tempest stores locally

Item | Why it's stored
--- | ---
Vault unlock key (or a wrapped form of it) | So you don't have to type your vault password on every launch
Sync session token | To keep you signed in across app restarts
Device push token | Long-lived per-device token used by Tempest Push (desktop)
OAuth2 refresh tokens | Renew sync sessions without re-typing credentials
Per-host credentials flagged as "save in keychain" (optional, opt-in) | So you can choose to skip vault-level encryption for low-risk hosts

Everything else (your hosts, snippets, SSH keys, certs) lives inside the encrypted vault — see End-to-End Encryption.

Per-platform storage

macOS — Keychain

Tempest stores secrets in the macOS Keychain under the service name app.gotempest.tempest. Secrets are protected by your macOS login password and (where available) Touch ID / system biometrics.

To inspect: open Keychain Access.app → search for "tempest".

Windows — Windows Credential Manager

Tempest stores secrets in Windows Credential Manager (the same store used by Microsoft Edge, Outlook, and most Win32 apps). Secrets are protected by your Windows account password and DPAPI.

To inspect: Control Panel → User Accounts → Credential Manager → Windows Credentials → entries prefixed with tempest.

Linux — Secret Service (libsecret)

Tempest uses the freedesktop Secret Service API — implemented by GNOME Keyring (default on GNOME, Cinnamon, Unity) or KWallet (default on KDE Plasma).

If you're running a desktop environment that ships either, you don't need to do anything. Tempest secrets show up in:

  • seahorse (GNOME Keyring viewer)

  • KWallet Manager

In-memory fallback when no keystore is available

Some Linux setups have no Secret Service:

  • Minimal window managers (i3, sway, dwm, awesome) installed without GNOME Keyring or KWallet

  • Headless servers (no DBus session)

  • Some restricted enterprise installs

In these cases, Tempest falls back to an in-memory secret store. This means:

  • You'll be prompted to enter your vault password every time Tempest starts.

  • Sync session tokens are lost on restart, so you'll need to sign in to your account again as well.

  • OAuth2 refresh tokens aren't persisted either, so the same applies to them.

This is intentional — writing secrets to a plaintext file on disk would be a worse outcome. To enable persistent secret storage, install a Secret Service implementation:

After install, restart Tempest. It'll detect the new keystore and start using it for the next session's secrets.
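A quick way to confirm whether the fallback will kick in, before or after installing a keystore, is to ask the session bus whether anything owns the Secret Service's well-known name, org.freedesktop.secrets (the name both GNOME Keyring and KWallet's Secret Service bridge claim). The script below is an added example, not part of Tempest or its documentation; it assumes dbus-send is installed and, as a constructed convention, that the file is saved as check-secret-service.sh. The pure helper secret_service_status takes the two bus-name lists as strings so it can be exercised with constructed input; probe_secret_service runs the live query.

```shell
#!/bin/sh
# Added example (not Tempest's code): detect whether a freedesktop Secret Service
# is reachable on the current DBus session bus, which is what decides between
# persistent secret storage and the in-memory fallback on Linux.

# Pure classifier so the logic can be checked with constructed bus-name lists.
#   $1: newline-separated names currently owned on the bus (ListNames)
#   $2: newline-separated names that DBus can start on demand (ListActivatableNames)
# Prints one of: running, activatable, absent.
secret_service_status() {
    if printf '%s\n' "$1" | grep -qx 'org.freedesktop.secrets'; then
        echo running
    elif printf '%s\n' "$2" | grep -qx 'org.freedesktop.secrets'; then
        echo activatable
    else
        echo absent
    fi
}

# Query the bus daemon and strip dbus-send's `string "..."` framing.
#   $1: ListNames or ListActivatableNames
list_bus_names() {
    dbus-send --session --print-reply --dest=org.freedesktop.DBus \
        /org/freedesktop/DBus "org.freedesktop.DBus.$1" 2>/dev/null \
        | sed -n 's/^ *string "\(.*\)"$/\1/p'
}

# Live probe. Returns 0 when a keystore is usable, non-zero when the in-memory
# fallback is the expected outcome (or the probe itself cannot run).
probe_secret_service() {
    if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then
        echo "no DBus session bus (DBUS_SESSION_BUS_ADDRESS unset): expect the in-memory fallback"
        return 1
    fi
    if ! command -v dbus-send >/dev/null 2>&1; then
        echo "dbus-send not installed: cannot probe the session bus"
        return 2
    fi
    status=$(secret_service_status "$(list_bus_names ListNames)" \
                                   "$(list_bus_names ListActivatableNames)")
    case $status in
        running)
            # Resolve the owner to a PID so you can see which daemon answers.
            pid=$(dbus-send --session --print-reply --dest=org.freedesktop.DBus \
                /org/freedesktop/DBus org.freedesktop.DBus.GetConnectionUnixProcessID \
                string:org.freedesktop.secrets 2>/dev/null \
                | sed -n 's/^ *uint32 \([0-9]*\)$/\1/p')
            owner=$(ps -o comm= -p "${pid:-0}" 2>/dev/null)
            echo "org.freedesktop.secrets is owned by PID ${pid:-?} (${owner:-unknown}): persistent storage available"
            ;;
        activatable)
            echo "org.freedesktop.secrets is not running but DBus will start it on first use"
            ;;
        absent)
            echo "no Secret Service on this session bus: expect the in-memory fallback"
            return 1
            ;;
    esac
}

# Run the probe only when executed directly; sourcing the file just defines the functions.
case $0 in
    *check-secret-service.sh) probe_secret_service ;;
esac
```

Run it as `sh check-secret-service.sh` from the same graphical session Tempest starts in; a result of "absent" on a desktop that you believe has GNOME Keyring or KWallet usually means the daemon is installed but not started for that session, which is worth checking before assuming the package is missing.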

Web Mode (browser)

When Tempest runs in Web Mode, there's no OS keystore the browser can write to. Instead:

  • Vault unlock key lives in session storage — cleared when you close the tab.

  • Sync session token lives in a secure HTTP-only cookie scoped to your Tempest server.

You'll need to re-enter your vault password each time you open Tempest in a new browser session. This is by design — browsers are too varied an environment to guarantee a secure persistent secret store.

iOS / Android

Mobile platforms have first-class secure storage:

  • iOS: Keychain Services, hardware-backed by the Secure Enclave when available.

  • Android: Android Keystore, hardware-backed by StrongBox / TEE on supported devices.

Tempest uses these by default on each platform; no fallback is needed.

How to wipe stored credentials

If you want to remove all Tempest secrets from the OS keystore:

Platform | Action
--- | ---
macOS | Keychain Access → search tempest → delete entries
Windows | Credential Manager → Windows Credentials → delete tempest:* entries
Linux (GNOME) | seahorse → Login keyring → delete tempest:* entries
Linux (KDE) | KWallet Manager → kdewallet → delete tempest:* entries
iOS / Android | Uninstall the app — secrets are scoped to the app's keychain entry

After wiping, your next Tempest launch starts cold: you'll re-enter your vault password and sign in to sync again.

Security notes

  • Tempest never writes secrets to plaintext files or to its own SQLite database. Secrets are always either in the OS keystore or in process memory.

  • On macOS / Windows / iOS / Android, the keystore is hardware-protected (Secure Enclave / TPM / StrongBox where available).

  • On Linux, security depends on your Secret Service implementation. GNOME Keyring and KWallet both encrypt secrets at rest under your login password.

  • The in-memory fallback (Linux without keystore) is less convenient but not less secure — it just means you re-authenticate on every launch.
